Tor Browser news: Three vulnerabilities allow spies to detect Tor browsers

The Tor browser logo displayed on a smartphone
(Image credit: Shutterstock)

Tor, once known only by network nerds, has now become something of a hot topic. This is thanks largely to the anonymous network's reputation for hosting drug marketplaces like Silk Road, and other unsavoury sites.

But what exactly is Tor? What is it good for? Does it have any legitimate uses? And how can those not versed in the finer details of network technologies actually access it?

Tor latest news

08/04/2017: The Tor browser discloses information that a determined attacker could potentially use to identify who uses the browser to surf the web, according to a computer forensic expert.

Dr Neal Krawetz revealed the issues in his blog last week, suggesting that instead of masking the identity of the user through layers of encryption, Tor browsers do give away details about the person surfing the dark web.

The first issue Krawetz encountered is to do with the window and screen size. Most browsers set the window size smaller than the screen size but Tor sets the two as the same. This means JavaScript can immediately detect the Tor browser, making the user vulnerable because they can be denied access to the site.

The second issue he found is that the Tor browser tries to size the Window at 1,000 x 1,000 pixels but if the screen is smaller then it chooses a width that is a multiple of 200 pixels and a height that is a multiple of 100 pixels.

However, on Mac OS, the browser sometimes miscalculates the initial Window size, an inconsistent problem that he puts down to the height of the dock. This means that a user can be profiled: if the Tor browser window size is a multiple of 200 across but not a multiple of 100 tall then it is a Tor Browser on Mac OS X.

The third and last issue is to do with the scrollbar size in the Tor browser. The browser does not normalise the viewport size, so if scrollbars are displayed then the viewport size can be subtracted from the windows size to find out the thickness of scrollbars. This can then be used to find out which operating system a user is on, as different OS's and desktops use different default thicknesses.

Krawetz pointed out the scrollbar thickness for a number of platforms, including: "The Tor browser on MacOS 10.11 uses a default thickness of 15 pixels. The Tor browser on Windows 7/8/10 uses scrollbars that are 17 pixels thick. The Tor browser on Linux uses scrollbars that are 10-16 pixels thick."

He then said that if you can detect the Tor browser - as possible in the first issue, and the scrollbars are 17 pixels thick, then you can work out that it's the Tor browser on Windows. He added: "If the scrollbars are 15 pixels thick, then it's either Linux or Mac OS X (check the window height to distinguish Mac from Linux; see issue #2). And any other thickness denotes Linux."

Krawetz stated how hard it is to report an error to the Tor Project. Even though the project asks on its website and Twitter for users to report security issues, when he has he has usually been met with silence. "Over the last few years, I've tried to report some of these profiling methods (and solutions) to the Tor Project, but each time has resulted in failure," he wrote."Often, my attempts to report a vulnerability or profiling risk has been met with silence."

03/04/2017: Tor browser will rely on more Rust code

The Tor browser will take greater advantage of the Rust programming language developed by Mozilla to keep user interactions more secure, it has been revealed.

Although Tor developers have been gunning for the news for a long time (since 2014, in fact), the Mozilla-powered code will play a bigger role in the secretive browser's future.

According to Bleeping Computer, Tor developers met last week to discuss the future of the private browser and decided to use more of the C++-based code in future, hoping to replace the majority of its legacy C and C++ base in the coming months or years.

"We didn't fight about Rust or Go or modern C++. Instead, we focused on identifying goals for migrating Tor to a memory-safe language, and how to get there," Tor developer Sebastian Hahn said.

"With that frame of reference, Rust emerged as a extremely strong candidate for the incremental improvement style that we considered necessary."

The reason why it decided to make such a big change was because a tiny mistake in the C programming language used in the current version of Tor could have a huge impact on users, Tor developer Isis Agora Lovecruft said on Twitter.

"A tipping point in our conversation around 'which safe language' is the Tor Browser team needs Rust because more & more Firefox is in Rust. Also the barrier to entry for contributing to large OSS projects written in C is insanely high."

13/12/2016: The first sandboxed version of the Tor Browser was released in alpha last weekend, bringing privacy fans one step closer to secure browsing.

Version 0.0.2 of the software was released by Tor developer Yawning Angel on Saturday, who is tackling the project largely single-handed. Official binaries are yet to be released, but early adopters can take it for a spit by compiling the code themselves from GitHub.

The project has been a labour of love for Yawning Angel. "We never have time to do this," he said back in October. "We have a funding proposal to do this but I decided to do it separately from the Tor Browser team. I've been trying to do this since last year."

The efforts have been given new urgency by a zero-day vulnerability in Firefox. Discovered last month, the error was being used to de-anonymise Tor users, as the browser is heavily based on Firefox code.

Sandboxed instances of Tor are different from the normal version in that they run in a self-contained silo. This means that if an attacker uses an exploit against the browser, the amount of data it can collect through it from the rest of the machine and operating system is limited.

However, Yawning Angel has stressed that the software is still a very early alpha, and cannot be trusted to be entirely secure. "There are several unresolved issues that affect security and fingerprinting," he wrote as part of the software's README.

01/12/2016: A zero day vulnerability found in both Firefox and Tor web browsers has been exploited in the wild, allowing attackers to target users for their IP and MAC addresses.

Internet security firm Malwarebytes first discovered the flaw, which was shown to be almost identical to the one used by the FBI to expose Tor browser users in 2013.

"The exploit took advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code," said Daniel Veditz, security lead at Mozilla, in a blog post on Wednesday.

Hackers were able to exploit Tor and Firefox browsers to send user hostnames and IP and MAC addresses to a remote server identified as 5.39.27.226, which has now been taken down.

"The goal is to leak user data with as minimal of a footprint as possible. There's no malicious code downloaded to disk, only shell code is ran directly from memory," said Jerome Segura, lead malware intelligence analyst at Malwarebytes.

"Browsers and their plugins remain the best attack vector to deliver malware or leak data via drive-by attacks," added Segura.

Malwarebytes recommend users adjust the security settings of their Tor browser to 'High' within the privacy settings, which will thwart any similar attacks of this kind. Users running the Malwarebytes Anti-Exploit tool will already by protected from the vulnerability. Both Mozilla and Tor have released patches to address the security flaw.

What is Tor?

The term ‘Tor’ can be used to refer to both the anonymous Tor network and the Tor Browser software used to access it. Designed for privacy and anonymity, it is used by journalists, hackers, privacy campaigners and criminals alike, and with around 2.5 million daily users, it’s the internet’s biggest avenue of anonymous online activity,

The system’s aim is to prevent a user’s web activity (such as traffic, communication and search history) from being externally traced, usually by government or law enforcement agencies. It’s commonly used to access what’s known as the Dark Web – hidden servers which are often used to host black market transactions.

Onion routing explained

Tor was originally known as The Onion Router, so named because it uses onion routing encryption protocols. This essentially functions like ‘pass-the-parcel’; data packets sent through Tor are secured with multiple layers of encryption.

They are then sent in a randomised pattern through Tor’s network of volunteer relay nodes. At each point in the relay, a layer of encryption is peeled away, which reveals the next point in the chain. Once the last layer of encryption has been removed, the data is passed on to its intended destination.

The key factor here is that each relay in the chain can only see the network location of the node immediately before and after it – the one it received the data from, and the one it’s sending it to.

This means that at no point along the chain are both the sender and recipient’s network details visible at the same time, and thus can’t be linked.

Hidden services

Tor is simply a network system, and can be used to provide untraceable access to any internet service or website. It’s often used as an innocent precaution by those who don’t want their actions traced by increasing levels of online government surveillance.

However, Tor also has a sinister side: the Dark Web. For obvious reasons, the prospect of untraceable web activity has proved very attractive to certain elements of society, and Tor has now become synonymous with varying levels of criminal activity.

Almost all of this activity occurs on servers inaccessible via standard web connections, known as ‘hidden services’. These servers are configured to only accept traffic coming from the Tor network, ensuring anonymity for both the server’s operator and its users. They are also inaccessible from standard browsers.

Hidden services are extremely popular for the trade and distribution of illegal or objectionable materials. According to a study by Dr. Gareth Owen, narcotics alone are the subject of around 15 per cent of hidden services on the Dark Web, with hacking, fraud and counterfeiting all being popular topics.

Infamous Dark Web marketplaces like Silk Road and Evolution have brought this topic to the fore, and law enforcement agencies are becoming increasingly more aware of these services. The Tor network has apparently remained secure so far, but the US government, in particular, is heavily invested in cracking Tor’s integrity.

Deep Web VS Dark Web

While many use the Deep Web and the Dark Web synonymously, important to note the distinction between the two.

As defined by Michael K. Bergman in his 2000 paper on the subject, the Deep Web refers simply to content that is not indexed by search engines, and thus extremely difficult for the average user to find.

The Dark Web, by contrast, is designed to be hidden from the rest of the internet. It consists of ‘darknets’; sub-sections of the internet which can only be accessed through systems like Tor.

The Dark Web is largely comprised of illegal or antisocial activity, while the Deep Web is often made up of innocuous but irrelevant web pages, such as archived content, multimedia elements or non-linked pages.

How do I use the Tor Browser?

If you’re looking to use Tor, be it for exploring the Dark Web or just for a little extra privacy, the first thing you’ll need is the Tor Browser, downloaded through The Tor Project’s website. It’s designed to be the best way to use Tor and is specially-configured to encrypt and protect your web traffic.

Available for Linux, Mac and PC, just download the Tor Browser installation file from the Tor Project’s website, install it like any other browser, and following a brief setup, you’ll be all set to use Tor.

You’ll also need a little patience. The relay method that makes Tor secure also means that it’s not quite as fast as a regular broadband connection, so you might find yourself waiting longer than usual for pages to load.

If you’re just looking for the security of knowing no-one will be able to trace your everyday internet activity, then you’re now all set to use Tor. Simply browse as normal, and the Tor network will do all the work to ensure that you’re kept safe from prying eyes.

If you want to dive into the murky territory of the Dark Web, however, you’ll need to do a little homework first. It’s not quite as simple as users may be used to, and given its dangerous nature, it’s best to go in prepared.

Before you do anything else, we’d advise anyone thinking of engaging in any Dark Web activity to ensure they’ve got the most up-to-date security possible; you never know who’s out there, after all. Also, be very, very careful not to accidentally break any laws, and make sure you know where you’re browsing to.

Once you’ve got Tor set up, you’ll need to start looking for Dark Web sites. Unlike regular websites, Tor’s hidden services aren’t accessible through regular web searches and don’t have conventional web URLs.

Instead, they’re accessed through .onion addresses, which are 16-character alphanumeric strings, randomly generated when the hidden service is created. The .onion address for The Tor Project’s homepage, for example, is http://idnxcnkne4qt76tg.onion/

Unless you know its specific address, you won’t be able to access the hidden service. Some are a closely-guarded secret, but many of the more common Dark Net sites (both criminal and legitimate) are catalogued by directories like The Hidden Wiki, available as both a regular website and a hidden service.

There are also basic search engines like Torch, which crawl and index Dark Web sites based on content. They’re nowhere near as sophisticated as regular search engines, though and are at a disadvantage due to the Dark Web’s clandestine nature.

Proxies and Tor2Web

Of course, there are ways to access Dark Web sites without using the Tor Browser itself. Tor2Web is a project that uses Tor-based proxies to let users access Tor hidden services without using the Tor Browser itself.

With a standard web browser, adding the suffixes .to, .city, .cab or .direct to the end of any .onion Tor link will send your connection through to a proxy server configured to use onion routing protocols. This server will then visit the address on your behalf, and relay the page contents back to your browser.

However, while this method is far easier than installing the Tor Browser, it is inherently traceable and provides no anonymity to the user. Using the dedicated browser remains the safest method of traversing the Dark Web for anyone with more than an academic interest in its contents.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.